Roku-Based Smart TVs Open to Remote Takeover

Millions of smart TVs can be controlled by hackers exploiting a vulnerability in the Roku smart-TV platform, allowing them to pump the volume from a whisper to blaring levels, rapidly cycle through channels, open disturbing YouTube content or kick the TV off the Wi-Fi network.

According to Consumer Reports, the remote takeover flaw affects Samsung and TCL televisions, the Roku Ultra set-top streaming device and other brands that use the Roku platform, including Hisense, Hitachi, Insignia, Philips, RCA and Sharp.

“We found that a relatively unsophisticated hacker could change channels, play offensive content, or crank up the volume, which might be deeply unsettling to someone who didn’t understand what was happening,” Consumer Reports said. “To a television viewer who didn’t know what was happening, it might feel creepy, as though an intruder were lurking nearby or spying on you through the set.”

The good news is that the problem does not allow a hacker to spy on the user or steal information.

The Roku vulnerability involves the application programming interface, or API. “Roku devices have a totally unsecured remote-control API enabled by default,” said Eason Goodale, lead engineer at Consumer Reports security partner Disconnect. “This means that even extremely unsophisticated hackers can take control of Rokus. It’s less of a locked door and more of a see-through curtain next to a neon ‘We’re open!’ sign.”

To become a victim of a real-world attack, a TV user would need to be using a phone or laptop running on the same Wi-Fi network as the television and then visit a site or download a mobile app with malicious code. Phishing emails or mobile malvertising could achieve this.

Roku pushed back on the idea that this is a vulnerability. “There is no security risk to our customers’ accounts or the Roku platform with the use of this API,” a Roku spokesperson said, noting that the External Control feature can be turned off in the settings. However, Consumer Reports noted that this will also disable control of the device through Roku’s own app, limiting functionality.

The Samsung vulnerability meanwhile can be exploited only if the user has installed a TV remote-control app on their mobile device. From there, visiting a malicious webpage using that device (again, this could be achieved by malicious, social-engineering emails) would execute the code.

“Samsung smart TVs attempt to ensure that only authorized applications can control the television,” Goodale said. “Unfortunately, the mechanism they use to ensure that applications have previously been authorized is flawed. It’s as though once you unlocked your door, the door would never lock again.”

Samsung, which said it’s evaluating the issue, told Consumer Reports: “We appreciate Consumer Reports’ alerting us to their potential concern.” The company said that a patch “will be in a 2018 update, [with timing] to be determined, but as soon as technically feasible.”

The advocacy group uncovered the vulnerabilities via testing based on its Digital Standard, which was developed in partnership with cybersecurity and privacy organizations to help set expectations for how manufacturers should handle privacy, security and other digital rights.

“The Digital Standard can be used to evaluate many products that collect data and connect to the internet,” says Maria Rerecich, who oversees electronics testing at Consumer Reports. “But smart TVs were a natural place to start.”

Further evaluation showed an additional problem: Smart TVs across the board also collect a raft of information on users, creating potential privacy concerns. For one, they identify every show a user watched, using automatic content recognition, or ACR. The viewing information can be combined with demographics data and used for targeted advertising.

The impact is widespread: 82 million smart TVs are in US consumer hands today, and they represent the lion’s share of new television purchases. According to market research firm IHS Markit, 69% of all new sets shipped in North America in 2017 were internet-capable, and the percentage is set to rise in 2018.

“These sets are growing in popularity, and they can transmit a remarkable amount of information about their users back to the TV manufacturers and their business partners,” Rerecich said. She added that in a recent Consumer Reports subscriber survey of 38,000 smart-TV owners, 51% were at least somewhat worried about the privacy implications of smart TVs, and 62% were at least somewhat worried about the sets’ security practices.

Sony responded to the criticism: “If a customer has any concerns about sharing information with Google/Android [they] need not connect their smart TV to the Internet or to Android servers to use the device as a television, for example, using cable or over-the-air broadcast signals.”

Consumer Reports noted that consumers can indeed limit data collection, but in order to do that, they have to give up a lot of the TVs’ functionality—and know the right buttons to click and settings to look for.